you could manage your IT operations throughout the
year as recommended by regulators and IT auditors for less than 10 dollars a week? You can - by relying
on The Weekly IT Security Review. Designed especially for
management, the Review provides a weekly
analysis of IT security issues. For more
information and to subscribe visit
Registrar 'incredibly' changed our e-mail for hacker - A hacker who
took down top Chinese search engine Baidu.com last month broke into
its account with a U.S. domain name registrar by pretending to be
from Baidu in an online chat with the registrar's tech help,
according to a lawsuit filed by Baidu.
Threee Bulgarians charged in 44-day ATM hacking spree - Three
Bulgarian men were charged Wednesday with defrauding banks of more
than $137,000 in a scheme that attached electronic skimming devices
to numerous automatic teller machines in Massachusetts.
Vulnerabilities fell in '09, attacks rose - The 2009 cybersecurity
landscape had its peaks and its valleys - the number of new and unpatched vulnerabilities decreased compared to 2008, but attack
volume grew substantially, according to a research report from IBM
Deposit money by taking a photo - In the near future, you might not
even have to visit a bank or an ATM to deposit a check. You'll
simply snap a couple of photos of it with your cell phone.
DoD Loosens Social Media Restrictions - Soldiers and Defense
Department employees will now be able to access Facebook, Twitter,
YouTube, and other social media sites on the military's unclassified
network, according to new policy issued this week.
Medical identity theft is costly for victims - When your wallet is
lost or stolen, the first thing you probably do is call your credit
card companies. You should also notify your medical insurance
provider judging from the conclusions of a report to be released on
Wednesday that finds that medical identity fraud can be very costly.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Intel hit by 'sophisticated' hack last month - Intel says it was hit
by a "sophisticated incident" in January in which hackers attempted
to breach its digital defenses, making it the latest US company to
admit it is being targeted by online miscreants.
HHS Posts Data Breach Notifications - The Office for Civil Rights in
the Department of Health and Human Services has launched a Web page
listing covered entities that have reported breaches of unsecured
protected health information affecting more than 500 individuals.
Wyndham hotels hacked again - Hackers broke into computer systems at
Wyndham Hotels & Resorts recently, stealing sensitive customer data.
The break-in occurred between late October 2009 and January 2010,
when it was finally discovered. It affected an undisclosed number of
company franchisees and hotel properties that Wyndham manages.
Four charged with hacking ticket vendors - In what may prove to be a
big win for concert-goers, four men were indicted and charged with
using fraud, deceit and computer hacking to get first dibs on
tickets to major sporting events, theater productions and concerts,
and then reselling them to ticket brokers.
PlainsCapital didn't halt cyber-robbery - A Plano business that lost
nearly $230,000 through an alleged cyber-robbery last year says in
court documents PlainsCapital Bank had plenty of chances to head off
the heist as it started.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (10 of 12)
Test affected systems or procedures prior to implementation.
Testing is an important function in the incident response
process. It helps ensure that reconfigured systems, updated
procedures, or new technologies implemented in response to an
incident are fully effective and performing as expected. Testing can
also identify whether any adjustments are necessary prior to
implementing the updated system, process, or procedure.
During the follow-up process, an institution has the opportunity to
regroup after the incident and strengthen its control structure by
learning from the incident. A number of institutions have included
the following best practice in their IRPs.
Conduct a "lessons-learned" meeting.
1) Successful organizations can use the incident and build
from the experience. Organizations can use a lessons-learned meeting
2) discuss whether affected controls or procedures need to be
strengthened beyond what was implemented during the recovery phase;
3) discuss whether significant problems were encountered during the
incident response process and how they can be addressed;
4) determine if updated written policies or procedures are needed
for the customer information security risk assessment and
information security program;
5) determine if updated training is necessary regarding any new
procedures or updated policies that have been implemented; and
6) determine if the bank needs additional personnel or technical
resources to be better prepared going forward.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Digital signatures authenticate the identity of a sender, through
the private, cryptographic key. In addition, every digital
signature is different because it is derived from the content of the
message itself. T he combination of identity authentication and
singularly unique signatures results in a transmission that cannot
Digital signatures can be applied to any data transmission,
including e-mail. To generate a digital signature, the original,
unencrypted message is run through a mathematical algorithm that
generates what is known as a message digest (a unique, character
representation of the data). This process is known as the "hash."
The message digest is then encrypted with a private key, and sent
along with the message. The recipient receives both the message and
the encrypted message digest. The recipient decrypts the message
digest, and then runs the message through the hash function again.
If the resulting message digest matches the one sent with the
message, the message has not been altered and data integrity is
verified. Because the message digest was encrypted with a private
key, the sender can be identified and bound to the specific
message. The digital signature cannot be reused, because it is
unique to the message. In the above example, data privacy and
confidentiality could also be achieved by encrypting the message
itself. The strength and security of a digital signature system is
determined by its implementation, and the management of the
Return to the top of
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer in
connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.